Update IP package in Node to 2.0.1 (CVE-2023-42282) #3245

Open
hiwit opened this issue Apr 16, 2024 · 1 comment
Labels
bug Something isn't working

hiwit commented Apr 16, 2024

The provided Node package (externals/nodeXX) contains the node-ip version <2.0.1 which might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic. (https://nvd.nist.gov/vuln/detail/CVE-2023-42282)

When action-runner is deployed as an ECS task, this is reported as a finding/vulnerability.

Runner Version and Platform

3.15.0 Linux (probably all other platforms as well)

@hiwit hiwit added the bug Something isn't working label Apr 16, 2024
@SajeedAnsari

It seems that both the action-runner images (v2.314.1 and possibly v2.315.0, if details haven't changed) are still facing the CVE-2023-42282 vulnerability associated with the 'ip' package. The 'ip' package version remains below 2.0.1, making it vulnerable. Could you help us address this issue?
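An added example, not code from node-ip or actions/runner, illustrating the failure mode both comments refer to: an inet_aton-style parser expands `0x7f.1` to `127.0.0.1`, so a range check run against the literal string never sees loopback, while the hardened check below only classifies canonical dotted-decimal input. The function names and the private-range list are my own.

```javascript
// Added example; not code from node-ip or actions/runner.
// Shows why "0x7f.1" is dangerous and how a strict validator handles it.

// Canonical dotted-decimal only: four parts, 0-255, no leading zeros, no hex/octal.
const STRICT_V4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

// Lenient parsing in the style of inet_aton(3): one to four parts, each
// decimal, octal ("0" prefix) or hex ("0x" prefix); the last part fills
// the remaining bytes. Returns the canonical dotted form, or null if invalid.
function lenientToDotted(addr) {
  const parts = addr.split('.');
  if (parts.length > 4) return null;
  const nums = parts.map((p) => {
    if (/^0x[0-9a-f]+$/i.test(p)) return parseInt(p, 16);
    if (/^0[0-7]*$/.test(p)) return parseInt(p, 8);
    if (/^[1-9]\d*$/.test(p)) return parseInt(p, 10);
    return NaN;
  });
  if (nums.some(Number.isNaN)) return null;
  const lastBytes = 4 - (nums.length - 1);
  if (nums.slice(0, -1).some((n) => n > 255)) return null;
  if (nums[nums.length - 1] >= 2 ** (8 * lastBytes)) return null;
  let value = 0;
  for (let i = 0; i < nums.length - 1; i++) value = value * 256 + nums[i];
  value = value * 2 ** (8 * lastBytes) + nums[nums.length - 1];
  return [value >>> 24, (value >>> 16) & 255, (value >>> 8) & 255, value & 255].join('.');
}

// Non-exhaustive set of ranges that must never be treated as public.
function isPrivateOrSpecial(dotted) {
  const [a, b] = dotted.split('.').map(Number);
  return a === 0 || a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// Hardened check: a range test run against the literal string never sees
// 127.x inside "0x7f.1", so refuse every non-canonical form up front rather
// than letting a lenient resolver downstream reinterpret it as loopback.
function isPublicStrict(addr) {
  if (!STRICT_V4.test(addr)) return false;
  return !isPrivateOrSpecial(addr);
}

// Demo: the report's example resolves to loopback yet contains no "127".
console.log(lenientToDotted('0x7f.1'), isPublicStrict('0x7f.1')); // 127.0.0.1 false

module.exports = { lenientToDotted, isPrivateOrSpecial, isPublicStrict };
```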
